## Hardware abstraction layer. ######################################## ## ## Execute hal in the hal domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`hal_domtrans',` gen_require(` type hald_t, hald_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, hald_exec_t, hald_t) ') ######################################## ## ## Get attributes of hald processes. ## ## ## ## Domain allowed access. ## ## # interface(`hal_getattr',` gen_require(` type hald_t; ') allow $1 hald_t:process getattr; ') ######################################## ## ## Read hal process state files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_state',` gen_require(` type hald_t; ') ps_process_pattern($1, hald_t) ') ######################################## ## ## Trace hald processes. ## ## ## ## Domain allowed access. ## ## # interface(`hal_ptrace',` gen_require(` type hald_t; ') allow $1 hald_t:process ptrace; ') ######################################## ## ## Inherit and use hald file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`hal_use_fds',` gen_require(` type hald_t; ') allow $1 hald_t:fd use; ') ######################################## ## ## Do not audit attempts to inherited ## and use hald file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_use_fds',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fd use; ') ######################################## ## ## Read and write hald unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pipes',` gen_require(` type hald_t; ') allow $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and ## write hald unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_rw_pipes',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Send to hald over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dgram_send',` gen_require(` type hald_t, hald_var_lib_t; ') files_search_var_lib($1) dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) ') ######################################## ## ## Send to hald over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_stream_connect',` gen_require(` type hald_t, hald_var_lib_t; ') files_search_var_lib($1) stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) ') ######################################## ## ## Do not audit attempts to read and ## write hald unix datagram sockets. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_rw_dgram_sockets',` gen_require(` type hald_t; ') dontaudit $1 hald_t:unix_dgram_socket { read write }; ') ######################################## ## ## Send messages to hald over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_send',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## hald over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_chat',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; allow hald_t $1:dbus send_msg; ') ######################################## ## ## Execute hal mac in the hal mac domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`hal_domtrans_mac',` gen_require(` type hald_mac_t, hald_mac_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) ') ######################################## ## ## Write hald log files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_write_log',` gen_require(` type hald_log_t; ') logging_search_logs($1) write_files_pattern($1, hald_log_t, hald_log_t) ') ######################################## ## ## Do not audit attempts to write hald ## log files. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_write_log',` gen_require(` type hald_log_t; ') dontaudit $1 hald_log_t:file { append write }; ') ######################################## ## ## Create, read, write, and delete ## hald log files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_log',` gen_require(` type hald_log_t; ') logging_search_logs($1) manage_files_pattern($1, hald_log_t, hald_log_t) ') ######################################## ## ## Read hald temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_tmp_files',` gen_require(` type hald_tmp_t; ') files_search_tmp($1) allow $1 hald_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to append ## hald libraries files. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_append_lib_files',` gen_require(` type hald_var_lib_t; ') dontaudit $1 hald_var_lib_t:file append_file_perms; ') ######################################## ## ## Read hald pid files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_pid_files',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Read and write hald pid files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pid_files',` refpolicywarn(`$0($*) has been deprecated, please use hal_rw_runtime_files() instead.') hal_rw_runtime_files($1) ') ######################################## ## ## Create, read, write, and delete ## hald pid directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_pid_dirs',` refpolicywarn(`$0($*) has been deprecated, please use hal_manage_runtime_dirs() instead.') hal_manage_runtime_dirs($1) ') ######################################## ## ## Create, read, write, and delete ## hald pid files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_pid_files',` refpolicywarn(`$0($*) has been deprecated, please use hal_manage_runtime_files() instead.') hal_manage_runtime_files($1) ') ######################################## ## ## Create, read, write, and delete ## hald runtime directories. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_runtime_dirs',` gen_require(` type hald_runtime_t; ') files_search_pids($1) manage_dirs_pattern($1, hald_runtime_t, hald_runtime_t) ') ######################################## ## ## Read and write hald runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_runtime_files',` gen_require(` type hald_runtime_t; ') files_search_pids($1) allow $1 hald_runtime_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete ## hald runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_runtime_files',` gen_require(` type hald_runtime_t; ') files_search_pids($1) manage_files_pattern($1, hald_runtime_t, hald_runtime_t) ')